Information Security News mailing list archives

Windows & .NET Magazine Security UPDATE--August 13, 2003

From: InfoSec News <isn () c4i org>
Date: Thu, 14 Aug 2003 04:09:18 -0500 (CDT)


1. In Focus: The Risks of Sharing Vulnerability Information

2. Security Risks
     - DoS in Crob FTP Server 2.60.1

3. Announcements
     - Windows & .NET Magazine Connections: for Security-Minded IT Pros
     - Try Windows & .NET Magazine!

4. Security Roundup
     - News: ISC Detects RPC/DCOM Worm
     - News: SuSE Linux Passes EAL2+ Security Test; EAL3 on the Horizon
     - Feature: New Features in SP3a

5. Security Toolkit
     - Virus Center
         - Virus Alert: W32/Mimail
     - FAQ: How Can I Ensure That Our Web Servers Aren't Enabled for
       IP Routing Between the Demilitarized Zone (DMZ) and the 
       Internal Network?

6. Event
     - New--Mobile & Wireless Road Show!

7. New and Improved
     - Install Secure, Affordable Remote Access Appliance
     - Detect Critical Security Flaw and Repair Systems for Free
     - Submit Top Product Ideas

8. Hot Threads
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Firewall Service on ISA Server Fails to Start
     - HowTo Mailing List
         - Featured Thread: Disabling Unneeded Services

9. Contact Us
   See this section for a list of ways to contact us.


==== 1. In Focus: The Risks of Sharing Vulnerability Information ====
   by Mark Joseph Edwards, News Editor, mark () ntsecurity net

As you know, the past few weeks have been full of reports about
possible impending attacks on Windows networks across the globe
because of the recently discovered remote procedure call
(RPC)/Distributed COM (DCOM) security problem. The release of code
that attackers could use to exploit unprotected systems intensified
those debates.

As I write this commentary, the speculation about a widespread attack
is beginning to manifest itself in a new worm, known as Blaster,
MBlast, or Lovesan. More than 10,000 systems probably infected with
the worm are scanning to discover vulnerable systems. You can read
about the worm in "ISC Detects RPC/DCOM Worm," in this edition of
Security UPDATE.

At the same time, security professionals continue to debate the issues
involved in having available knowledge about security vulnerabilities
and having available code that attackers could twist into ready
exploits--but the debates haven't reached any consensus. However,
maybe this worm will shift the opinions.

A news story I read recently offers food for further thought. Although
the story isn't related to computer security, it's related in a
general sense to full disclosure and to a key element in determining
someone's potential culpability--intent.

A young man (Sherman Austin) has been arrested, charged, and sent to
prison for his alleged intentions regarding information to which he
linked from his Web site. The Web site he linked to offered
bomb-making information. As we know, anyone can obtain such
information in the public domain (e.g., in libraries). Apparently,
Austin's prosecution (which ended in a plea bargain) wasn't based on
his use of "bomb-making" materials but on his linking from his Web
site to such material. You can read more about the case at the URL

The matter of intent raises interesting questions about full
disclosure in the computer security arena. At any given step in the
disclosure proceedings, what's the intent of somebody who discloses
security vulnerability information--and can that intent be known?

Amid much talk about cyber-terrorism, you hear debates about what kind
of security vulnerability information to release, when to release it,
and to whom to release it. The blame game is also popular: Some users
are blamed for not patching their systems; other users are blamed for
providing too much vulnerability information (whether information or
code); and vendors are blamed for faults in their products. Because of
the widespread use of various OSs, one tiny ripple not handled
correctly can cause a tidal wave of problems. The hype about perceived
potential damage often compounds the problem.

The RPC/DCOM problem offers a good example of how even the best
intentions regarding vulnerability disclosure simply aren't enough. In
this instance, those involved in discovering and reporting the problem
followed the proposed guidelines of both the Organization for Internet
Safety (OIS), which includes the vendor (Microsoft), in handling the
vulnerability, subsequent disclosure, and patch provisioning. Even so,
the proper process didn't stop people from learning more about the
vulnerability and writing code to "demonstrate" the problem.

At the same time that intruders morphed the code into attack tools,
the code revealed that the patch didn't work to prevent other aspects
of vulnerability. Clearly, having the code available can be a distinct

Is such code the equivalent of "bomb-making" instructions? Might some
people assume that Web site and mailing list operators who support
full disclosure have malicious intent? Can a decision for or against
full-disclosure ever benefit everyone? I wonder whether Austin's
recent conviction offers a precedent that might apply to

In Austin's case, intent is an essential element. Some security
researchers wear black hats and some white hats with pride. Still
others swap hats in different situations. However, because intent is
sometimes difficult if not impossible to know, prosecutors might make
assumptions and everyone's rights might be at risk.

If you have comments or predictions about disclosure issues,
discerning intent, and the rights involved, I'd like to hear them.
Send me an email with your comments.


==== 2. Security Risks ====
   contributed by Ken Pfeil, ken () winnetmag com

DoS in Crob FTP Server 2.60.1
   "Zero X" has discovered a Denial of Service (DoS) vulnerability in
Crob FTP Server 2.60.1. If an attacker sends the FTP server a file
whose name contains words such as CON, AUX, COM1, LPT1, the server
might stop responding to legitimate requests. Crob Software Studio has
been notified.
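
The names listed above are DOS device names, which Windows resolves to devices rather than files. The following check is an added example, not code from Crob Software Studio or the original newsletter; it shows how a file server could screen client-supplied names before opening them. The function names and sample inputs are hypothetical.

```python
import re

# DOS device names that Windows resolves to devices instead of files,
# in any directory, in any letter case, and with any extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

def reserved_component(path):
    """Return the first path component that maps to a DOS device, else None."""
    for part in re.split(r"[\\/]+", path):
        # Only the text before the first dot or colon is matched, and
        # trailing spaces are ignored, so "aux .txt" still means AUX.
        stem = re.split(r"[.:]", part, maxsplit=1)[0].rstrip(" ").upper()
        if stem in RESERVED:
            return part
    return None

def safe_upload_name(client_path):
    """Validate a client-supplied file name before touching the disk."""
    hit = reserved_component(client_path)
    if hit is not None:
        raise ValueError(f"rejected: {hit!r} is a reserved device name")
    return client_path

# Constructed sample inputs (not taken from the advisory).
SAMPLE_NAMES = ["CON", "uploads/aux.txt", "pub\\com1", "LPT1 .log",
                "console.txt", "report.con", "COM10"]

def screen(names):
    """Split names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for name in names:
        (rejected if reserved_component(name) else accepted).append(name)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = screen(SAMPLE_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
```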

==== 3. Announcements ====
   (from Windows & .NET Magazine and its partners)

Windows & .NET Magazine Connections: for Security-Minded IT Pros
   How secure is your network? Have you ever been hacked? If you had
to lock down 100 machines in 5 minutes, could you do it? How has
Windows Server 2003 improved its security features? Want to stop spam?
Register for Windows & .NET Magazine Connections 2003 coming this fall
to Orlando, and get all the answers to these questions and much more!

Try Windows & .NET Magazine!
  Every issue of Windows & .NET Magazine includes intelligent,
impartial, and independent coverage of security, Active Directory,
Microsoft Exchange Server, and more. Our expert authors deliver how-to
content you simply can't find anywhere else. Try a sample issue today,
and find out what more than 100,000 readers know that you don't!

==== 4. Security Roundup ====

News: ISC Detects RPC/DCOM Worm
   The Internet Storm Center (ISC) reports that it has captured a
remote procedure call (RPC)/Distributed COM (DCOM) worm capable of
spreading to Windows XP and Windows 2000 systems. According to ISC,
the worm uses RPC/DCOM to propagate itself, sending a self-extracting
6176-byte compressed file (about 11KB uncompressed). After the worm
executes on an infected system, it spawns a backdoor on port 4444,
then tries to download more worm files from a range of Trivial FTP
(TFTP) servers.
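
The sequence described above (a connection to the backdoor on port 4444, then a TFTP request from the same host) can be looked for in network flow records. The following is an added example, not part of the original newsletter or ISC's tooling; the record format, the sample flows, and the five-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

BACKDOOR_PORT = 4444            # backdoor port named in the ISC report
TFTP_PORT = 69                  # standard TFTP port (UDP)
WINDOW = timedelta(minutes=5)   # assumed correlation window

# Constructed flow records: time, source, destination, protocol, dest port.
SAMPLE_FLOWS = """\
2003-08-12T14:02:11 192.0.2.77 10.0.0.5 tcp 4444
2003-08-12T14:02:13 10.0.0.5 192.0.2.77 udp 69
2003-08-12T14:05:40 10.0.0.9 10.0.0.20 udp 69
2003-08-12T14:07:02 198.51.100.3 10.0.0.12 tcp 4444
2003-08-12T15:30:00 10.0.0.12 10.0.0.20 udp 69
"""

def parse_flows(text):
    """Yield (time, src, dst, proto, dport) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, proto, int(dport)

def suspected_hosts(text, window=WINDOW):
    """Hosts that accepted a TCP/4444 connection and then sent a TFTP
    request within `window`, in order of first detection."""
    backdoor_seen = {}   # host -> time of latest inbound connection to 4444
    flagged = []
    for ts, src, dst, proto, dport in sorted(parse_flows(text)):
        if proto == "tcp" and dport == BACKDOOR_PORT:
            backdoor_seen[dst] = ts
        elif proto == "udp" and dport == TFTP_PORT and src in backdoor_seen:
            if ts - backdoor_seen[src] <= window and src not in flagged:
                flagged.append(src)
    return flagged

if __name__ == "__main__":
    print(suspected_hosts(SAMPLE_FLOWS))
```

In the sample, 10.0.0.9 is not flagged because its TFTP request has no preceding port 4444 connection, and 10.0.0.12 is not flagged because its TFTP request falls outside the window.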

News: SuSE Linux Passes EAL2+ Security Test; EAL3 on the Horizon
   SuSE Linux and IBM recently received the Evaluation Assurance Level
2+ (EAL2+) security certification, a security-based rating that the
International Organization for Standardization (ISO) assigns under its
ISO 15408 standard. ISO gave the rating to SuSE Linux Enterprise
Server (SLES) 8 running on IBM's eServer xSeries hardware.

Feature: New Features in SP3a
   All Microsoft SQL Server 2000 customers should have upgraded their
production systems to Service Pack 3 (SP3) by now for protection
against the Slammer worm and other security vulnerabilities. But
Microsoft recently released SP3a without much fanfare. What does SP3a
address, and who needs to upgrade to it? Microsoft's original Web page
describing SP3a didn't specify what new features the service pack
included or whether you needed to apply SP3a if you were already using
SP3. However, Microsoft's SP3a download site has now provided clearer
answers to these questions, which Brian Moran discusses in this

==== 5. Security Toolkit ====

Virus Center
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.

Virus Alert: W32/Mimail
   The code that the W32/Mimail virus carries can spread rapidly
through email. The virus exploits two Microsoft Internet Explorer (IE)
vulnerabilities, both of which Microsoft resolved some time ago.
W32/Mimail sends itself in email to the addresses it finds in various
files with extensions other than .com, .wav, .cab, .pdf, .rar, .zip,
.tif, .psd, .ocx, .vxd, .mp3, .mpg, .avi, .dll, .exe, .gif, .jpg, and
.bmp. To learn more about the virus, visit Panda Software's site for a
complete description.

FAQ: How Can I Ensure That Our Web Servers Aren't Enabled for IP
Routing Between the Demilitarized Zone (DMZ) and the Internal Network?
   contributed by Jan De Clercq

A. On Windows NT systems, IP routing is disabled by default. To enable
IP routing in NT, go to Network Settings, TCP/IP Properties. On the
Routing tab, select the Enable IP Forwarding check box. You can also
enable the feature from the registry. Navigate to the
registry subkey, and set the EnableIPRouter value (of type REG_DWORD)
to 1. Reboot the system to effect the change.

To guarantee that no one enables your Web servers for IP routing
without your knowledge, make sure that you configure the appropriate
NT access-control and auditing options on the EnableIPRouter registry
subkey and that only authorized users have access to your Web servers.
You might also invest in an integrity-checking tool that alerts you
when your system's configuration changes. For an overview of NT system
integrity-checking tools, see "NT Gatekeeper: Learning About NT
Integrity-Checking Tools," February 2002, InstantDoc ID 23461.

==== 6. Event ====

New--Mobile & Wireless Road Show!
   Learn more about the wireless and mobility solutions that are
available today! Register now for this free event!

==== 7. New and Improved ====
   by Sue Cooper, products () winnetmag com

Install Secure, Affordable Remote Access Appliance
   Celestix Networks launched the Celestix RAS3000, a Windows 2003
Server-powered remote access appliance for VPNs. The rack-mounted
appliance supports up to 1000 simultaneous VPN connections through
wired or wireless connections. You can install multiple appliances for
an unlimited total number of VPN clients. The RAS3000's management
software offers load balancing, real-time alerting and monitoring, and
historical reporting. The appliance supports all Windows OSs including
Pocket PC 2002. The Celestix RAS3000 costs $5995 for up to 1000
concurrent connections and is available from authorized VARs and
resellers. Contact Celestix on the company's Web site.

Detect Critical Security Flaw and Repair Systems for Free
   Shavlik Technologies released a free Detection and Repair Kit to
discover whether your network is at risk for attack because of the
critical security flaw described in Microsoft Bulletin MS03-026
(Buffer Overrun In RPC Interface Could Allow Code Execution). The kit
provides unlimited network scanning and assessment for a single
machine or thousands of machines, to inform your IT staff where fixes
are required. The Detection and Repair Kit automatically deploys the
MS03-026 patch on up to 50 servers. To download the Detection and
Repair Kit, go to
Contact Shavlik Technologies at 800-690-6911, 651-426-6624, or
info () shavlik com.

Submit Top Product Ideas
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

==== 8. Hot Threads ====

Windows & .NET Magazine Online Forums

Featured Thread: Firewall Service on ISA Server Fails to Start
   (One message in this thread)

A user writes that he just installed Internet Security and
Acceleration (ISA) server on a Windows Server 2003, and it works well.
However, he removed RRAS to configure a VPN, then added it back. Since
then, the firewall service won't start. The log states only that the
service failed to start (no reasons given).
   The only way he can start the service is to change its logon type,
remove RRAS, and restart the machine. He then changes the credentials
back, starts the firewall service, and adds back RRAS. Without RRAS,
his clients can't get to the Internet. He believes there might be some
conflict with RRAS. Lend a hand or read the responses:

HowTo Mailing List

Featured Thread: Disabling Unneeded Services
   (Five messages in this thread)

A user wants to know where he can find out what services he can safely
disable on his Windows 2000 Server. Lend a hand or read the responses:

==== 9. Contact Us ====

About the newsletter -- letters () winnetmag com
About technical questions --
About product news -- products () winnetmag com
About your subscription -- securityupdate () winnetmag com
About sponsoring Security UPDATE -- emedia_opps () winnetmag com

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing Windows and related technologies. Subscribe

To make other changes to your email account such as change your email
address, update your profile, and subscribe or unsubscribe to any of
our email newsletters, simply log on to our Email Preference Center.

Thank you!
Copyright 2003, Penton Media, Inc.
